Saturday, February 27, 2016

Although originally given a tentative release for the first quarter of 2016, like all good ambiguously dated things Witcher 3’s second and more sizable expansion, Blood and Wine, has been pushed back to the first half of 2016. Which does technically still include the first quarter, but come on. They wouldn’t be giving themselves those extra three months of leeway if they didn’t think they needed it.

So while we may have to wait a bit longer for our next and seemingly final foray in to the life of Geralt of Rivia, we’ve still got enough nuggets of information to dive in, Scrooge McDuck style, and swim on the oceans of speculation until CD Projekt Red lock down dates, deadlines, and details for us all. To that end, and knowing what we know, here are five things that could be done in Blood and Wine that would make it great.

On the surface this is a paper about a TLS implementation, but the really interesting story to me is the attempt to ‘do it right,’ and the techniques and considerations involved in that process. The IT landscape is littered with bug-ridden and vulnerable software – surely we can do better? And if we’re going to make a serious attempt at that, where better than something like a TLS stack – because bugs and vulnerabilities there also expose everything that relies on it – i.e. pretty much the whole of the internet.

The ANSI SQL isolation levels were originally defined in prose, in terms of three specific anomalies that they were designed to prevent. Unsurprisingly, it turns out that those original definitions are somewhat ambiguous and open to both a strict and a broad interpretation. It also turns out that they are not sufficient, since there is one even more basic anomaly not mentioned in the standard that needs to be prevented in order to be able to implement rollback and recovery. Looking even more deeply, the paper uncovers eight different phenomena (anomalies) that can occur, and six different isolation levels.

The main idea of the paper is that the typical failover architecture used when moving from a single datacenter to multiple datacenters doesn’t work well in practice. What does work, where work means using fewer resources while providing high availability and consistency, is a natively multihomed architecture

The job terminations, like the bulk of the media outlet’s work, were first experienced by most Gawker employees in digital, rather than physical space. Deleting the accounts was merely the company’s attempt to assert control of its office space, and Slack’s role in the layoffs simply exemplified where work was actually being done; it also serves as an indicator of, for many employees in the coming years, where it will end.

What happened is when NYSE first allowed [traders] to collocate in the [same building], people started to get into pissing matches over the length of their cables. Just to give you an idea, a foot of cable equates to one nanosecond, which is a billionth of a second. People were getting into pissing matches over a billionth of a second.

...

NYSE measured the distance to the furthest cabinet, which is where people put their servers. It was 185 yards. So they gave every [high-frequency trader] a cable of 185 yards.

Then, traders who were previously closer to the [exchange server] asked to move to the farthest end of the building. Why? Because when a cable is coiled up, there's a light dispersion that is slightly greater than when the cable is straight.

The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend. This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe.

Kaminsky goes on to give a high-level summary of how the bug allows attacks:

Somewhat simplified, the attacks depend on:.

A buffer being filled with about 2048 bytes of data from a DNS response

The stub retrying, for whatever reason

Two responses ultimately getting stacked into the same buffer, with over 2048 bytes from the wire

The flaw is linked to the fact that the stack has two outstanding requests at the same time – one for IPv4 addresses, and one for IPv6 addresses. Furthermore DNS can operate over both UDP and TCP, with the ability to upgrade from the former to the latter. There is error handling in DNS, but most errors and retries are handled by the caching resolver, not the stub. That means any weird errors just cause the (safer, more properly written) middlebox to handle the complexity, reducing degrees of freedom for hitting glibc.

glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.

Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.

Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.

The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.

O'Donell's explication of the bug is perhaps the greatest debugging/diagnosis/post-mortem write-up of a bug that I think I've ever read.

If you've ever tried to precisely describe a bug, and how it can cause a security vulnerability, you'll know how hard it is to do that both exactly and clearly. Here's how O'Donell does it:

The defect is located in the glibc sources in the following file:
- resolv/res_send.c
as part of the send_dg and send_vc functions which are part of the
__libc_res_nsend (res_nsend) interface which is used by many of the
higher level interfaces including getaddrinfo (indirectly via the DNS
NSS module.)
One way to trigger the buffer mismanagement is like this:
* Have the target attempt a DNS resolution for a domain you control.
- Need to get A and AAAA queries.
* First response is 2048 bytes.
- Fills the alloca buffer entirely with 0 left over.
- send_dg attemps to reuse the user buffer but can't.
- New buffer created but due to bug old alloca buffer is used with new
size of 65535 (size of the malloc'd buffer).
- Response should be valid.
* Send second response.
- This response should be flawed in such a way that it forces
__libc_res_nsend to retry the query. It is sufficient for example to
pick any of the listed failure modes in the code which return zero.
* Send third response.
- The third response can contain 2048 bytes of valid response.
- The remaining 63487 bytes of the response are the attack payload and
the recvfrom smashes the stack with it.
The flaw happens because when send_dg is retried it restarts the query,
but the second time around the answer buffer points to the alloca'd
buffer but with the wrong size.

O'Donell then proceeds to walk you through the bug, line by line, showing how the code in question proceeds, inexorably, down the path to destruction, until it commits the fatal mistake:

So we allocate a new buffer, set *anssizp to MAXPACKET, but fail to set
*ansp to the new buffer, and fail to update *thisanssizp to the new
size.

And, therefore:

So now in __libc_res_nsend the first answer buffer has a recorded size
of MAXPACKET bytes, but is still the same alloca'd space that is only
2048 bytes long.

The send_dg function exits, and we loop in __libc_res_nsend looking for
an answer with the next resolver. The buffers are reused and send_dg is
called again and this time it results in `MAXPACKET - 2048` bytes being
overflowed from the response directly onto the stack.

There's more, too, and O'Donell takes you through all of it, including several other bugs that were much less severe which they uncovered while tracking this down and studying it using tools like valgrind.

O'Donell's patch is very precise, very clearly explained, very thoroughly studied.

But, as Kaminsky points out in today's follow-up, it's still not clear that we understand the extent of the danger of this bug: I Might Be Afraid Of This Ghost

A few people have privately asked me how this particular flaw compares to last year’s issue, dubbed “Ghost” by its finders at Qualys.

...

the constraints on CVE-2015-7547 are “IPv6 compatible getaddrinfo”. That ain’t much. The bug doesn’t even care about the payload, only how much is delivered and if it had to retry.

It’s also a much larger malicious payload we get to work with. Ghost was four bytes (not that that’s not enough, but still).

In Ghost’s defense, we know that flaw can traverse caches, requiring far less access for attackers. CVE-2015-7547 is weird enough that we’re just not sure.

It's fascinating that, apparently due to complete coincidence, the teams at Google and at RedHat uncovered this behavior independently. Better, they figured out a way to coordinate their work:

In the course of our investigation, and to our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July, 2015. (bug). We couldn't immediately tell whether the bug fix was underway, so we worked hard to make sure we understood the issue and then reached out to the glibc maintainers. To our delight, Florian Weimer and Carlos O’Donell of Red Hat had also been studying the bug’s impact, albeit completely independently! Due to the sensitive nature of the issue, the investigation, patch creation, and regression tests performed primarily by Florian and Carlos had continued “off-bug.”

This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users.

It was very interesting to read these articles, and I'm glad that the various teams took the time to share them, and even more glad that companies like RedHat and Google are continuing to fund work like this, because, in the end, this is how software becomes better, painful though that process might be.

Wednesday, February 17, 2016

But what I thought was in a lot of ways much cooler was the technique the team used to build in a process which ensured that they were extremely careful in their analysis, and weren't easily fooled: LIGO-Virgo Blind Injection

The LIGO Scientific Collaboration and the Virgo Collaboration conducted their latest joint observation run (using the LIGO Hanford, LIGO Livingston, Virgo and GEO 600 detectors) from July, 2009 through October 2010, and are jointly searching through the resulting data for gravitational wave signals standing above the detector noise levels. To make sure they get it right, they train and test their search procedures with many simulated signals that are injected into the detectors, or directly into the data streams. The data analysts agreed in advance to a "blind" test: a few carefully-selected members of the collaborations would secretly inject some (zero, one, or maybe more) signals into the data without telling anyone. The secret goes into a "Blind Injection Envelope", to be opened when the searches are complete. Such a "mock data challenge" has the potential to stress-test the full procedure and uncover problems that could not be found in other ways.

It must be really pleasing, in that what-makes-an-engineer-deeply-satisfied sort of way, to open up the Blind Injection Envelope and discover that your analysis was in fact correct.

It isn't a perfect comparison, but I am strongly reminded of the Netflix engineering team's approach to building in fault tolerance and reliability in their systems by intentionally provoking failures: The Netflix Simian Army

Imagine getting a flat tire. Even if you have a spare tire in your trunk, do you know if it is inflated? Do you have the tools to change it? And, most importantly, do you remember how to do it right? One way to make sure you can deal with a flat tire on the freeway, in the rain, in the middle of the night is to poke a hole in your tire once a week in your driveway on a Sunday afternoon and go through the drill of replacing it. This is expensive and time-consuming in the real world, but can be (almost) free and automated in the cloud.

This was our philosophy when we built Chaos Monkey, a tool that randomly disables our production instances to make sure we can survive this common type of failure without any customer impact. The name comes from the idea of unleashing a wild monkey with a weapon in your data center (or cloud region) to randomly shoot down instances and chew through cables -- all the while we continue serving our customers without interruption. By running Chaos Monkey in the middle of a business day, in a carefully monitored environment with engineers standing by to address any problems, we can still learn the lessons about the weaknesses of our system, and build automatic recovery mechanisms to deal with them. So next time an instance fails at 3 am on a Sunday, we won't even notice.

In computing circles, this sort of thing is often gathered under the term Recovery Oriented Computing, but I really like the term "blind injection."

I'm going to remember that, and keep my eye out for places to take advantage of that technique.

President Obama designated three new national monuments in the California desert Thursday, expanding federal protection to 1.8 million acres of landscapes that have retained their natural beauty despite decades of heavy mining, cattle ranching and off-roading.

All three areas lie east of Los Angeles. Two of the new monuments — Castle Mountains and Mojave Trails — are near California's border with Nevada.

And crucially, "the new monuments will link already protected lands, including Joshua Tree National Park, Mojave National Preserve, and fifteen congressionally-designated Wilderness areas, permanently protecting key wildlife corridors and providing plants and animals with the space and elevation range that they will need in order to adapt to the impacts of climate change," the release says.

The designations under the 1906 Antiquities Act connect an array of existing protected areas, including Joshua Tree National Park, Mojave National Preserve and 15 wilderness areas, creating a nearly 10 million-acre arid land reserve that is surpassed only by Namibia’s Namib-Naukluft National Park.

This is the largest of the newly protected areas and spans 1.6 million acres, over 350,000 of which were already protected. The area includes ancient Native American trading routes, a long stretch of Route 66, and World War II training camps. Natural highlights include the Pisgah Crater lava flows, Marble Mountains Fossil Beds, and the Amboy Crater.

The Mojave Trails National Monument links the Mojave National Preserve to Joshua Tree National Park and existing Wilderness Areas, and includes vital wildlife habitat, desert vistas and important Native American cultural sites. Sand to Snow offers some of the most biologically diverse habitats in the country, linking the San Gorgonio Wilderness to Joshua Tree National Park and the San Bernardino National Forest. Some of the finest Joshua tree, piñon pine, and juniper forests in the desert grow in the Castle Mountains National Monument. Given the exceptional historical, ecological, and geological features found in each area – from Route 66 to the Marble Mountains Fossil Beds to desert tortoise and bighorn sheep habitat – these lands are well-deserving of their new national monument status.

“Along with over 100 historians, archaeologists, and other experts, I enthusiastically welcome the designation of the Mojave Trails, Sand to Snow and Castle Mountains National Monuments,” said Dr. Clifford E. Trafzer, Rupert Costo Chair in American Indian Affairs, University of California, Riverside. “President Obama has taken a step forward to preserve not only the beauty of these lands, but also our shared history. Now these places will be better protected against theft and damage of Native American objects and artifacts. With respect and good stewardship, these public lands are repositories of knowledge, just waiting to be understood.”

This is the land of my childhood (well, my middle-school childhood, anyway). It is as harsh and unforgiving a place as exists on the planet, but my oh my is it a treasure for those who take the time to get to know and appreciate it.

Thursday, February 11, 2016

The leaking well is one of 115 injection wells at the 80-year-old, 3,600-acre Aliso Canyon facility, which stores 86 billion cubic feet of gas that serves 11 million people in the Los Angeles basin. Many of those wells are corroded and mechanically damaged, the gas company said.

Yet it is the only field in a distribution area stretching from Porter Ranch 60 miles south to Santa Ana that can ensure reliability in both winter, when homes and businesses use significant amounts of natural gas for heating, and summer, when gas-fired generators supply power to air conditioners.

Efforts to kill the well are being conducted under new orders imposed by the Safety and Enforcement Division of the California Public Utilities Commission in consultation with the state Department of Conservation's Division of Oil, Gas and Geothermal Resources.

If you’re looking to truly understand how Bitcoin works at a technical level and have a basic familiarity with computer science and programming, this book is for you. Researchers and advanced students will find the book useful as well — starting around Chapter 5, most chapters have novel intellectual contributions.

HTTP/2 is the next-generation protocol for transferring information on the web, improving upon HTTP/1.1 with more features leading to better performance. Since then we've seen huge adoption of HTTP/2 from both web servers and browsers, with most now supporting HTTP/2. Over 25% of resources in Chrome are currently served over HTTP/2, compared to less than 5% over SPDY. Based on such strong adoption, starting on May 15th — the anniversary of the HTTP/2 RFC — Chrome will no longer support SPDY.

The Malware Museum is a collection of malware programs, usually viruses, that were distributed in the 1980s and 1990s on home computers. Once they infected a system, they would sometimes show animation or messages that you had been infected. Through the use of emulations, and additionally removing any destructive routines within the viruses, this collection allows you to experience virus infection of decades ago with safety.

I’m not optimistic that, as a group, computer scientists and computing professionals can prevent this disaster from happening: the economic forces driving automation and system integration are too strong. But of course we should try. We also need to think about what we’re going to do if, all of a sudden, a lot of people suddenly expect us to start producing computer systems that actually work, and perhaps hold us accountable when we fail to do so.

Computational-complexity theory focuses on classifying computational problems according to their inherent difficulty. The theory relies on some fundamental abstractions, including that it is useful to classify algorithms according to their worst-case complexity, as it gives us a universal performance guarantee, and that polynomial functions display moderate growth.

I offered the team a more aggressive failure model: we’d dynamically reconfigure the cluster membership during the test. This is a harder problem than consensus with fixed membership: both old and new nodes must gracefully agree on the membership change, ensure that both sets of nodes will agree on any operations performed during the handover, and finally transition to normal consensus on the new set of nodes. The delicate handoff of operations from old nodes to new provides ample opportunities for mistakes.

an instrument called LIGO (the Laser Interferometer Gravitational-Wave Observatory) had apparently observed a “spectacular” direct gravitational wave signal, minute ripples in the fabric of spacetime created by distant and very massive objects—in this case, the collision and merger of two black holes, one 36 times the mass of our Sun, the other 29 times. Einstein first theorized that gravitational waves should exist in 1915, but evidence for them has been indirect so far. LIGO may be the first instrument to ever see them directly, by measuring the slight contraction and expansion of the distance separating distant mirrors.

We asked physicists what they’d be most excited to observe with a fully functioning gravitational wave observatory. Here are their top 5 favorite targets.

The startup industry may be “resetting,” which doesn’t mean a “crash” but rather just a resetting of valuations, timescales, winners/losers, capital sources and the relative emphasis of growth rates vs. burn rates.

Last Friday, LinkedIn, Salesforce and Workday lost $18B in market capitalization. To put that in perspective, these three SaaS companies lost more in market cap on Friday than 15 current SaaS leaders are worth…combined.

How can this be possible? LinkedIn, Salesforce and Workday are growing revenue with sticky customers and they are targeting large addressable markets. Are they now suddenly undesirable companies?

I learned this lesson 127 times between 2000 and 2005. I started investing in 1994 and while there was some bumpiness in 1997 and again in 1999, the real pain happened between 2000 and 2005. I watched, participated, and suffered through every type of creative financing as companies were struggling to raise capital in this time frame. I’ve seen every imaginable type of liquidation preference structure, pay-to-play dynamic, preferred return, ratchet, share/option bonus, option repricing, and carveout. I suffered through the next financing after implementing a complex structure, or a sale of the company, or a liquidation. I’ve spent way too much time with lawyers, rights offerings, liquidation waterfalls, and angry/frustrated people who are calculating share ownership by class to see if they can exert pressure on an outcome that they really can’t impact anyway, and certainly haven’t been constructively contributing to.

The final point I want to bring up here is how codes of conduct should be used. These are not things which should be seen as pseudo-legal or process-oriented documents. If you go this way, people will abuse the system. It is better in my experience to vest responsibility with the maintainers in keeping the peace, not dispensing out justice, and to have codes of conduct aimed at the former, not the latter. Justice is a thorny issue, one philosophers around the world have been arguing about for millennia with no clear resolution.

Sunday, February 7, 2016

The one-hour trek on Highway 101 down the Peninsula to the South Bay might stretch to two hours next week. The Embarcadero and Market Street closures near Super Bowl City, the fan village, are causing painfully slow trips around San Francisco's Ferry Building. Already-jammed BART and Caltrain parking lots could fill by 6 a.m. And 600 or more charter buses will be used to carry fans to the Feb. 7 game at Levi's Stadium in Santa Clara.

Everybody is visiting San Francisco, even though the game isn't played there.

While the game is in Santa Clara, nine days of activities leading up to the game are in San Francisco. That means transportation impacts from January 23 to February 12. Whether you're visiting, working or a resident, plan ahead, pack your patience and take transit, bike or walk where you need to go.

Super Bowl City presented by Verizon is the Host Committee’s free-to-the-public fan village designed to celebrate the milestone Super Bowl 50 and to highlight its unique place in the Bay Area.

The NFL Experience driven by Hyundai, pro football’s interactive theme park, will be hosted by the Bay Area during Super Bowl Week. To be located at the Moscone Center in San Francisco, the NFL Experience celebrates the sport’s history and electrifying atmosphere of Super Bowl.

There are simply too many rooms and not enough guests. "You get a flood of people listing their places and nobody looks at it," says Ian McHenry, a co-founder of research firm Beyond Pricing, which sells rental hosts a service to help calculate how much they should charge. "There’s way too much supply in the market." Of the nearly 10,000 currently active Airbnb listings in the Bay Area this weekend, around 60 percent are still available, according to the San Jose Mercury News.

There's been a significantly-noticable increase in the number of private charter jets flying in and out.

Private jet companies say this year's game could near or top records for previous Super Bowls, given the attractive location, large number of private jet airports in the area and the excitement over the game.

Companies say business is up between 10 and 20 percent over last year. And while consolidated numbers are hard to come by, experts estimate between 1,000 and 1,500 jets could arrive at Oakland, San Jose, Hayward and other California airports.

“Temporary Flight Restrictions will prohibit certain aircraft operations, including unmanned aircraft operations, within a 32-mile radius of the stadium in Santa Clara, Calif. on game day,” reads a statement from the Federal Aviation Administration.

Usually, about a half-dozen private jets might use Panico’s facility at any one time. This weekend, there could be as many as 200. While their owners are attending the modest little sporting event just down the Nimitz Freeway, the planes will be parked wingtip to wingtip. So many $50 million jets will be slumming it in Hayward that the airport will shut down one runway and turn it into a temporary parking lot.

There's plenty of other entertainment. (My co-worker's son is the drummer for the Latin Youth Jazz Ensemble!)

For the musically inclined, there are several acts lined up in the Bay Area to get you ready for the game. Performing at the City Stage in San Francisco on Sunday will be the Latin Youth Jazz Ensemble (3 p.m. ET), John Brothers Piano Company (3:45 p.m. ET) and the Glide Ensemble (5 p.m. ET).

Super Bowl ads are practically an event unto themselves. And when they unfold on the screen this Sunday, viewers will see a reflection of America's diversity.

While Hollywood faces a backlash over an all-white slate of acting nominees for this year’s Oscars, several of the TV spots airing during the big game will feature actors, athletes and characters who represent a range of ethnicity, generations, and sexual orientations.

Friday, February 5, 2016

The Witcher School is a LARP for adults inspired by "The Witcher" series and the fantasy book series by Andrzej Sapkowski.

During the game you will become an apprentice going through a rigorous witcher training: you will learn fencing, archery and alchemy; you will hunt monsters, unveil secrets and intrigues; and finally, you will face tough choices and discover the consequences the hard way.
You will move to Moszna Castle in Poland, redecorated for our needs and transformed into a real witchers' abode where you will meet famous characters known from "The Witcher" books and games.

The "Design Document" goes on to elaborate:

Up to this point, you could only read about this or see this on the screen of your TV or PC. But here... if you want to slash your enemy with a sword you do not have to imagine doing that, or push a button on your controller. What you have to do here is to do it for real. You will learn how to brew potions using real ingredients, and what gestures are needed to use witcher signs. And these are only a few of the things you will be able to learn. You will be an integral part of the live action. This will be an opportunity to immerse yourself in a well-known setting of The Witcher and live your own unforgettable adventure.

Thursday, February 4, 2016

there are multiple 3rd party implementations that will try to solve the problem, many of them using similar paradigm as a solution. In this blog post I will go through seven alternative approaches for handling large binary files in Git repositories with respective their pros and cons.

my experience with Annex is that it’s full-featured and a bit less focused in its approach. It’s easy enough to check in files and sync them among various locations, but there are also testing tools, a web-based GUI, and lots of options you can use in different situations. The git-annex project site reveals a lot: plenty of features, updates, discussions, and enough threads that some sort of trail off.

Git LFS is at the other end of things: a bit nicer-looking, a bit more straightforward, and significantly simpler. Tack it on to your repository, tell it what kind of files to watch, and then pretty much forget about it. If you check in a file (with a normal git add whatever.mp4), the magic happens via a pre-push hook where LFS will check your watch list and spring into action if needed. It otherwise blends in after minimal configuration.

This new unlocked file mode uses git's smudge/clean filters, and I was busy developing it all through December. It started out playing catch-up with git-lfs somewhat, but has significantly surpassed it now in several ways.

So, if you had tried git-annex before, but found it didn't meet your needs, you may want to give it another look now.

Monday, February 1, 2016

The combined changes in networking, memory, storage, and processors that are heading towards our data centers will bring about profound changes to the way we design and build distributed systems, and our understanding of what is possible. Today I’d like to take a moment to summarise what we’ve been learning over the past few weeks and months about these advances and their implications.

While most distributed systems handle machine-level failures well, handling datacenter-level failures is less common. In our experience, handling datacenter-level failures is critical for running true high availability systems. Most of our systems (e.g. Photon, F1, Mesa) now support multi-homing as a fundamental design property. Multi-homed systems run live in multiple datacenters all the time, adaptively moving load between datacenters, with the ability to handle outages of any scale completely transparently. This paper focuses primarily on stream processing systems, and describes our general approaches for building high availability multi-homed systems, discusses common challenges and solutions, and shares what we have learned in building and running these large-scale systems for over ten years.

It wasn't that long ago that computation was expensive, disk storage was expensive, DRAM (dynamic random access memory) was expensive, but coordination with latches was cheap. Now all these have changed using cheap computation (with many-core), cheap commodity disks, and cheap DRAM and SSDs (solid-state drives), while coordination with latches has become harder because latch latency loses lots of instruction opportunities. Keeping immutable copies of lots of data is now affordable, and one payoff is reduced coordination challenges.

I have been reading up a bit by bit on efficient data structures, primarily from the perspective of memory utilization. Data structures that provide constant lookup time with minimal memory utilization can give a significant performance boost since access to CPU cache is considerably faster than access to RAM. This post is a compendium of a few data structures I came across and salient aspects about them

Last month saw the 43rd edition of the ACM SIGPLAN-SIGACT Symposium on the Principles of Programming Languages (POPL). Gabriel Scherer did a wonderful job of gathering links to all of the accepted papers in a GitHub repo. For this week, I’ve chosen five papers from the conference that caught my eye.

NSA tiger teams follow a six-stage process when attempting to crack a target, he explained. These are reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, exfiltrate and exploit the data.

Amazon Chief Executive Officer Jeff Bezos has spent more than two decades reinvesting earnings back into the company. That steadfast refusal to strive for profitability never seemed to hurt the company or its stock price, and Amazon’s market value (now about $275 billion) passed Wal-Mart’s last year. All the cash it generated went into infrastructure development, logistics and technology; it experimented with new products and services, entered new markets, tried out new retail segments, all while capturing a sizable share of the market for e-commerce.

Silicon Valley is full of startups who fetishize the candidate that comes into the interview, answers a few clever fantasy coding challenges, and ultimately ends up the award-winning hire that will surely implement the elusive algorithm that will herald a new era of profitability for the fledging VC-backed company.

Silicon Valley is full of startups who fetishize the candidate that comes into the interview, answers a few clever fantasy coding challenges, and ultimately ends up the award-winning hire that will surely implement the elusive algorithm that will herald a new era of profitability for the fledging VC-backed company.

he was like - wait a minute I read this really cute puzzle last week and I must ask you this - there are n sailors and m beer bottles and something to do with bottles being passed around and one of the bottles containing a poison and one of the sailors being dishonest and something about identifying that dishonest sailor before you consume the poison and die. I truly wished I had consumed the poison instead of laboring through that mess.

Programmers use computers. It's what we do and where we spend our time. If you can't at least give me a text editor and the toolchain for the language(s) you're interested in me using, you're wasting both our time. While I'm not afraid of using a whiteboard to help illustrate general problems, if you're asking me to write code on a whiteboard and judging me based on that, you're taking me out of my element and I'm not giving you a representative picture of who I am or how I code.

Don't get me wrong, whiteboards can be a great interview tool. Some of the best questions I've been asked have been presented to me on a whiteboard, but a whiteboard was used to explain the concept, the interviewer wrote down what I said and used that to help frame a solution to the problem. It was a very different situation than "write code for me on the whiteboard."